IE Redirects
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:32 AM, on 4/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MozyPro\mozyprobackup.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\msiexec.exe
G:\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [tblewhjg] C:\Documents and Settings\Owner\Local Settings\Application Data\irvkpxvtm\kgihmjttssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tblewhjg] C:\Documents and Settings\Owner\Local Settings\Application Data\irvkpxvtm\kgihmjttssd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MozyPro Status.lnk = C:\Program Files\MozyPro\mozyprostat.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267743513437
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MozyPro Backup Service (mozyprobackup) - Mozy, Inc. - C:\Program Files\MozyPro\mozyprobackup.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6286 bytes
kevin27_b3d29f
May 3rd, 2010 12:00
Hi routeme2
Welcome to Dell Community Malware Removal Forums,
I'm K27 and I will be reviewing your log for you.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please print or save to Notepad all instructions and follow them carefully. If there's something you don't understand or that will not work, please let me know and we will go through it together.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
MBAM will automatically start and you will be asked to update the program before performing a scan.
On the Scanner tab:
Back at the main Scanner screen:
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL,
Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.
Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html
Next, please perform a rootkit scan:
If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first initial quick scan; this can be saved in the same way as the full scan in the above instructions.
Please post back the MBAM log and the ARK log, please remember that if the ARK tool crashes to please post the results from the quick scan.
Thanks
K27.
routeme2
May 3rd, 2010 18:00
Thanks for picking this up K27.
MBAM only spotted the Windows notification methods on AV, firewall, and auto updates.
Logs follow.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4063
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
5/3/2010 5:53:11 PM
mbam-log-2010-05-03 (17-53-11).txt
Scan type: Quick scan
Objects scanned: 128584
Time elapsed: 21 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
****************************************************************************************************
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-03 19:13:33
Windows 5.1.2600 Service Pack 3
Running: 05guimt5.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uwtdapob.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF09988D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF09952D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF09A00D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF0998C60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xF099EEE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xF099F110]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xF09A26D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF0998D40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF0995950]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF09A10B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF09A0D00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xF099EC50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF09A13E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF09957A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xF099E9A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xF099E7C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF09A16D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF0998570]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF09A1980]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xF0998A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF0995AC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF09A0897]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF099F340]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF916FCE0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF916FC3C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF916FC14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF916FC28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF916FCB6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF916FCF6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF916FCCA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [60, 8C, 99, F0, E0, EE, 99, ...]
.text ntoskrnl.exe!_abnormal_termination + 234 804E2890 4 Bytes JMP 5F44192E
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP F916FCCE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP F916FC40 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP F916FC18 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP F916FCFA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP F916FCE4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP F916FC2C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetSecurityObject 8059B1AB 5 Bytes JMP F916FCBA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP F916FC7C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? eofzwce.sys The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\System32\DRIVERS\i8042prt.sys entry point in ".rsrc" section [0xF93DC194]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [60, 8C, 99, F0, E0, EE, 99, ...]
.text ntoskrnl.exe!_abnormal_termination + 234 804E2890 4 Bytes JMP 5F44192E
.text ntoskrnl.exe!KeSaveFloatingPointState + 11D 804F0EA6 7 Bytes JMP F916FCCE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ObOpenObjectByName + 95A 80568D59 5 Bytes JMP F916FC40 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP F916FC18 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!CcCopyRead + 663 805736E6 5 Bytes JMP F916FCFA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP F916FCE4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP F916FC2C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetSecurityObject 8059B1AB 5 Bytes JMP F916FCBA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!LsaDeregisterLogonProcess + 3D05 8064E77C 7 Bytes JMP F916FC7C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[384] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AF0000
.text C:\WINDOWS\System32\svchost.exe[384] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\System32\svchost.exe[384] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AF0025
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AE0000
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AE0F63
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AE0F74
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AE0F8F
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AE0058
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AE0FC0
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AE00AB
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AE0084
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AE0F2D
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AE00C6
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AE00E1
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AE0047
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AE001B
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AE0073
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AE0FDB
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AE002C
.text C:\WINDOWS\System32\svchost.exe[384] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AE0F48
.text C:\WINDOWS\System32\svchost.exe[384] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0036
.text C:\WINDOWS\System32\svchost.exe[384] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0FAF
.text C:\WINDOWS\System32\svchost.exe[384] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0FE5
.text C:\WINDOWS\System32\svchost.exe[384] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F001B
.text C:\WINDOWS\System32\svchost.exe[384] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F0FC0
.text C:\WINDOWS\System32\svchost.exe[384] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F0000
.text C:\WINDOWS\System32\svchost.exe[384] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007F0058
.text C:\WINDOWS\System32\svchost.exe[384] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0047
.text C:\WINDOWS\System32\svchost.exe[384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0FB2
.text C:\WINDOWS\System32\svchost.exe[384] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E003D
.text C:\WINDOWS\System32\svchost.exe[384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0FD7
.text C:\WINDOWS\System32\svchost.exe[384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0000
.text C:\WINDOWS\System32\svchost.exe[384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E002C
.text C:\WINDOWS\System32\svchost.exe[384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0011
.text C:\WINDOWS\System32\svchost.exe[384] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 007D001B
.text C:\WINDOWS\System32\svchost.exe[384] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007D000A
.text C:\WINDOWS\System32\svchost.exe[384] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007D0FE3
.text C:\WINDOWS\System32\svchost.exe[384] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007D0FD2
.text C:\WINDOWS\system32\services.exe[1100] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\services.exe[1100] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0080001B
.text C:\WINDOWS\system32\services.exe[1100] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 003B0FE5
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 003B0065
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 003B004A
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003B0F7C
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 003B0F8D
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 003B0FB2
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 003B0093
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 003B0F4B
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003B0F1F
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 003B00B8
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 003B0F0E
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 003B0039
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 003B0FD4
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 003B0076
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 003B0FC3
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 003B0014
.text C:\WINDOWS\system32\services.exe[1100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 003B0F30
.text C:\WINDOWS\system32\services.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F61
.text C:\WINDOWS\system32\services.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[1100] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F90
.text C:\WINDOWS\system32\services.exe[1100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FAB
.text C:\WINDOWS\system32\services.exe[1100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[1100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[1100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FBC
.text C:\WINDOWS\system32\services.exe[1100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1100] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[1100] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[1100] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00050FD4
.text C:\WINDOWS\system32\services.exe[1100] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00050027
.text C:\WINDOWS\system32\services.exe[1100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[1112] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\lsass.exe[1112] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\lsass.exe[1112] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FA0F72
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FA0F8D
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FA0F9E
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FA005B
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FA0FB9
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FA00C4
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FA009D
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FA00F0
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FA0F61
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FA0101
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FA0040
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FA000A
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FA0082
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FA0FCA
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FA001B
.text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FA00D5
.text C:\WINDOWS\system32\lsass.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D8001E
.text C:\WINDOWS\system32\lsass.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80F8D
.text C:\WINDOWS\system32\lsass.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80FCD
.text C:\WINDOWS\system32\lsass.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80FDE
.text C:\WINDOWS\system32\lsass.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D8004A
.text C:\WINDOWS\system32\lsass.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\lsass.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D80039
.text C:\WINDOWS\system32\lsass.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80FB2
.text C:\WINDOWS\system32\lsass.exe[1112] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70038
.text C:\WINDOWS\system32\lsass.exe[1112] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70027
.text C:\WINDOWS\system32\lsass.exe[1112] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D7000C
.text C:\WINDOWS\system32\lsass.exe[1112] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\lsass.exe[1112] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FB7
.text C:\WINDOWS\system32\lsass.exe[1112] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70FD2
.text C:\WINDOWS\system32\lsass.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\lsass.exe[1112] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\lsass.exe[1112] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\lsass.exe[1112] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D60025
.text C:\WINDOWS\system32\lsass.exe[1112] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D60040
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE00B8
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE009D
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE008C
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE004A
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F8B
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0FA8
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0109
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F66
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE011A
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE005B
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE00D3
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE001E
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE00E4
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD008E
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD007D
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FD0062
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0047
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FC0FBC
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FC0047
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FC002C
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FC0FCD
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FC0011
.text C:\WINDOWS\system32\svchost.exe[1268] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00FB0011
.text C:\WINDOWS\system32\svchost.exe[1268] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1268] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FB0FDB
.text C:\WINDOWS\system32\svchost.exe[1268] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FB002E
.text C:\WINDOWS\system32\svchost.exe[1268] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA0FE5
.text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CA0FC3
.text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FE5
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C900A4
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90093
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C9006C
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C9005B
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90040
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C900DA
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C900C9
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C9011A
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C90F81
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C90F66
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90F9E
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90FD4
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C900FF
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80058
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80FA5
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C8003D
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C8002C
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C70FCD
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C7004E
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C70029
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C70FDE
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00C6002C
.text C:\WINDOWS\system32\svchost.exe[1340] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1464] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03270000
.text C:\WINDOWS\System32\svchost.exe[1464] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0327001B
.text C:\WINDOWS\System32\svchost.exe[1464] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03270FE5
.text C:\WINDOWS\System32\svchost.exe[1464] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1464] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0079000C
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0326000A
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03260F6D
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03260062
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03260F94
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03260051
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03260FD4
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03260098
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0326007D
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 032600DF
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 032600CE
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03260F35
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03260FAF
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03260FEF
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03260F52
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03260040
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0326002F
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 032600A9
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02DD0FE5
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02DD006C
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02DD002C
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02DD0011
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02DD0FAF
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02DD0000
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02DD0FCA
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FD, 8A]
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02DD0051
.text C:\WINDOWS\System32\svchost.exe[1464] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02DB000A
.text C:\WINDOWS\System32\svchost.exe[1464] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 02DA000A
.text C:\WINDOWS\System32\svchost.exe[1464] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03250053
.text C:\WINDOWS\System32\svchost.exe[1464] msvcrt.dll!system 77C293C7 5 Bytes JMP 03250038
.text C:\WINDOWS\System32\svchost.exe[1464] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0325001D
.text C:\WINDOWS\System32\svchost.exe[1464] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03250FEF
.text C:\WINDOWS\System32\svchost.exe[1464] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03250FC8
.text C:\WINDOWS\System32\svchost.exe[1464] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0325000C
.text C:\WINDOWS\System32\svchost.exe[1464] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 02DC0000
.text C:\WINDOWS\System32\svchost.exe[1464] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02DC0FEF
.text C:\WINDOWS\System32\svchost.exe[1464] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 02DC001D
.text C:\WINDOWS\System32\svchost.exe[1464] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 02DC002E
.text C:\WINDOWS\System32\svchost.exe[1464] WS2_32.dll!socket 71AB4211 5 Bytes JMP 029C0FEF
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A30000
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A30FE5
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A20000
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A20F6B
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A20F7C
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A20F8D
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A20F9E
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A20040
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A20F29
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A20071
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A200BB
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A200A0
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A200CC
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A20FB9
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A20011
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A20F46
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A20F18
.text C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A10FCA
.text C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A10076
.text C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A10FDB
.text C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A10011
.text C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A1005B
.text C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A10000
.text C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A10FB9
.text C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C1, 88]
.text C:\WINDOWS\System32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A10040
.text C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0042
.text C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F0027
.text C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0FC8
.text C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FB7
.text C:\WINDOWS\System32\svchost.exe[1568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F000C
.text C:\WINDOWS\System32\svchost.exe[1568] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 007E001B
.text C:\WINDOWS\System32\svchost.exe[1568] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007E0000
.text C:\WINDOWS\System32\svchost.exe[1568] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\System32\svchost.exe[1568] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007E0FDE
.text C:\WINDOWS\System32\svchost.exe[1568] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007F0FD4
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007E0000
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007E0F91
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007E0086
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007E0069
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007E0058
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007E0FB6
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007E00A1
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007E0F65
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007E0F34
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007E00C3
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007E00E8
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007E003D
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007E0F76
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007E002C
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007E001B
.text C:\WINDOWS\System32\svchost.exe[1576] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007E00B2
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780022
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780F87
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780FDB
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00780011
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780FA2
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780000
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00780044
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780033
.text C:\WINDOWS\System32\svchost.exe[1576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770049
.text C:\WINDOWS\System32\svchost.exe[1576] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FBE
.text C:\WINDOWS\System32\svchost.exe[1576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770FE3
.text C:\WINDOWS\System32\svchost.exe[1576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0077000C
.text C:\WINDOWS\System32\svchost.exe[1576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0077002E
.text C:\WINDOWS\System32\svchost.exe[1576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0077001D
.text C:\WINDOWS\System32\svchost.exe[1576] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0076000A
.text C:\WINDOWS\System32\svchost.exe[1576] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00760FE5
.text C:\WINDOWS\System32\svchost.exe[1576] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00760FD4
.text C:\WINDOWS\System32\svchost.exe[1576] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00760027
.text C:\WINDOWS\System32\svchost.exe[1576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750FEF
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CC0FCA
.text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0060
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0F6B
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0F7C
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0F8D
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0FB9
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0F29
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0071
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB0ED8
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB0EF3
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB0096
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB0F9E
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB0F46
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0025
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0014
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB0F18
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CA002C
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CA0058
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CA0047
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CA0F9B
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP 50C03388
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CA0FB6
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F001D
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F000C
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0FB7
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0FE3
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FA6
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F0FD2
.text C:\WINDOWS\system32\svchost.exe[1744] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 007E0FDE
.text C:\WINDOWS\system32\svchost.exe[1744] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1744] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007E0FCD
.text C:\WINDOWS\system32\svchost.exe[1744] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007E0FBC
.text C:\WINDOWS\system32\svchost.exe[1744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\Explorer.EXE[1972] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02AE000A
.text C:\WINDOWS\Explorer.EXE[1972] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02AE0FD4
.text C:\WINDOWS\Explorer.EXE[1972] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02AE0FE5
.text C:\WINDOWS\Explorer.EXE[1972] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[1972] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02AD0000
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02AD0F52
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02AD0F63
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02AD0F74
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02AD003D
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02AD0FAF
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02AD0F1A
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02AD0F37
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02AD0EDA
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02AD0EF5
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02AD008E
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02AD002C
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02AD0FE5
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02AD0062
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02AD001B
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02AD0FCA
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02AD0073
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02A70FD4
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02A70076
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02A70FE5
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02A7001B
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02A70065
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02A7000A
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02A70040
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02A70FB9
.text C:\WINDOWS\Explorer.EXE[1972] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02A60FCA
.text C:\WINDOWS\Explorer.EXE[1972] msvcrt.dll!system 77C293C7 5 Bytes JMP 02A60FE5
.text C:\WINDOWS\Explorer.EXE[1972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02A60044
.text C:\WINDOWS\Explorer.EXE[1972] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02A6000C
.text C:\WINDOWS\Explorer.EXE[1972] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02A60055
.text C:\WINDOWS\Explorer.EXE[1972] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02A6001D
.text C:\WINDOWS\Explorer.EXE[1972] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 028C0014
.text C:\WINDOWS\Explorer.EXE[1972] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 028C0FEF
.text C:\WINDOWS\Explorer.EXE[1972] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 028C0025
.text C:\WINDOWS\Explorer.EXE[1972] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 028C0FD2
.text C:\WINDOWS\Explorer.EXE[1972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02260FEF
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F099D3E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F099D900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F099DA60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F099D550] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F099D550] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F099D3E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F099D900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F099DA60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F099D3E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F099D550] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F099DA60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F099D900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F099DA60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F099D900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F099D3E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F09AA9B0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F099D550] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F099D3E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F099D900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F099DA60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F099D3E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F099D550] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F099DA60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F099D900] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F0995F70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F0996120] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F0995C80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F0996020] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1780] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [004076E0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1780] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mozypro.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mozypro.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 FFB79EE4
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\System32\DRIVERS\i8042prt.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
kevin27_b3d29f
1.5K Posts
0
May 4th, 2010 00:00
Hi,
You have a pretty nasty Rootkit infection called TDL3.
We can clean it, but we have a bit of work to do.
PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS
Please:
Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:
Combo-Fix MUST be saved to your desktop before running the tool.
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
When prompted to install the recovery console, please make sure to do so, as this is a VERY IMPORTANT backup for Combo-Fix (XP only).
You will need to be connected to the net to install the recovery console; if you cannot install it, DO NOT run Combo-Fix.
Post back and we will install it manually.
DO NOT mouse click when Combo-Fix is running, as this will cause Combo-Fix to stall and it will not work as it should.
Please include the C:\ComboFix.txt in your next reply for further review.
Thanks
routeme2
19 Posts
0
May 4th, 2010 06:00
ComboFix seemed to run fine.
I have seen a file called PEV coming and going in C:\Windows and Zone Alarm warned about it as I brought all the protection up after running ComboFix.
Log follows.
ComboFix 10-05-03.05 - Owner 05/04/2010 7:32.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.45 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\WindowsUpdate
C:\zip.exe
E:\Autorun.inf
Infected copy of c:\windows\system32\DRIVERS\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.
2010-05-04 11:21 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2010-05-04 11:21 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-05-02 00:12 . 2010-05-02 00:12 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-02 00:12 . 2010-05-02 00:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-01 04:13 . 2010-05-01 04:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-30 08:46 . 2010-04-14 16:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-30 08:46 . 2010-04-14 16:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-30 08:46 . 2010-04-14 16:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-30 08:46 . 2010-04-14 16:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-30 08:46 . 2010-04-14 16:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-30 08:46 . 2010-04-14 16:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-30 08:46 . 2010-04-14 16:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 14:09 . 2010-04-27 14:09 -------- d-----w- c:\program files\Trend Micro
2010-04-27 13:30 . 2010-04-27 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 20:02 . 2009-07-28 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 02:03 . 2010-03-19 21:51 574 ----a-w- C:\cleanup.bat
2010-05-01 16:37 . 2008-11-23 13:40 -------- d-----w- c:\documents and settings\Owner\Application Data\WIPE
2010-04-30 18:22 . 2006-09-13 22:49 -------- d-----w- c:\program files\McAfee.com
2010-04-30 11:04 . 2006-09-13 22:49 -------- d-----w- c:\program files\McAfee
2010-04-30 08:46 . 2006-09-13 22:49 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-29 19:39 . 2009-07-28 19:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-07-28 19:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 03:03 . 2010-03-17 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\com.comcast.access
2010-04-14 16:29 . 2006-09-13 22:50 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-14 16:29 . 2006-09-13 22:49 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-14 16:29 . 2006-09-13 22:49 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-26 09:11 . 2006-10-10 02:34 -------- d-----w- c:\program files\Photodex Presenter
2010-03-25 18:15 . 2010-03-25 18:14 -------- d-----w- c:\program files\SONY
2010-03-25 18:15 . 2006-09-13 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 13:13 . 2008-10-28 19:45 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-03-19 13:46 . 2010-03-19 13:46 27671 ----a-w- C:\FileLister.vbe
2010-03-18 23:23 . 2006-09-13 18:23 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-03-18 23:23 . 2006-09-13 18:23 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-18 17:20 . 2010-03-18 17:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-17 13:02 . 2010-03-17 13:02 -------- d-----w- c:\documents and settings\Owner\Application Data\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2010-03-17 13:01 . 2010-03-17 13:01 -------- d-----w- c:\program files\ComcastAccess
2010-03-17 13:00 . 2010-03-17 13:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2010-03-14 20:15 . 2006-10-29 11:48 2572 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-03-06 01:14 . 2010-03-06 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-06 01:02 . 2006-09-14 14:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-06 00:58 . 2010-03-06 00:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-06 00:47 . 2006-09-16 17:02 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2010-02-25 18:52 . 2010-02-25 18:52 72080 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro]
@="{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}"
[HKEY_CLASSES_ROOT\CLSID\{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro2]
@="{CBAFE103-79DA-46ca-BD9A-63CBF6282882}"
[HKEY_CLASSES_ROOT\CLSID\{CBAFE103-79DA-46ca-BD9A-63CBF6282882}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro3]
@="{8B99EA55-1AFF-4539-80A0-A71C6011CD84}"
[HKEY_CLASSES_ROOT\CLSID\{8B99EA55-1AFF-4539-80A0-A71C6011CD84}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-05-16 19968]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-03 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-03 185896]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyPro Status.lnk - c:\program files\MozyPro\mozyprostat.exe [2009-10-20 2885120]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23721:TCP"= 23721:TCP:BitComet 23721 TCP
"23721:UDP"= 23721:UDP:BitComet 23721 UDP
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/30/2010 4:46 AM 82952]
R1 mozyproFilter;mozyproFilter;c:\windows\system32\drivers\mozypro.sys [4/30/2007 8:18 AM 54776]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/30/2010 4:46 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/30/2010 4:47 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/30/2010 4:46 AM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/30/2010 4:46 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/30/2010 4:46 AM 88480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/30/2010 4:46 AM 55456]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [3/25/2010 2:14 PM 39048]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/30/2010 4:46 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/30/2010 4:46 AM 83496]
--- Other Services/Drivers In Memory ---
*Deregistered* - mfeavfk01
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-HijackThis - G:\HijackThis.exe
AddRemove-Photodex Presenter - c:\program files\Photodex Presenter\uninst.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 07:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2660)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\MozyPro\mozyproshell.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\MozyPro\mozyprobackup.exe
c:\program files\PurgeIE\PurgeIE_Service.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Real\RealPlayer\RealPlay.exe
.
**************************************************************************
.
Completion time: 2010-05-04 08:05:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 12:05
ComboFix2.txt 2010-03-23 16:49
ComboFix3.txt 2010-03-23 15:20
Pre-Run: 207,010,238,464 bytes free
Post-Run: 207,233,523,712 bytes free
- - End Of File - - 422EFEB32384DE569C2E9080F4C963AC
kevin27_b3d29f
1.5K Posts
0
May 4th, 2010 14:00
routeme2,
PEV is nothing to worry about; it is a false positive, and once we finish it will no longer be on your system.
Combo-Fix got the infection for us and it is now clean. Are you still being redirected?
The main reason that you keep getting infected is that the P2P program "BitComet" has an open port through your firewall; we are going to deal with that now.
Please post the log located at C:\Qoobox\Add-Remove Programs.txt
Thanks
K27
routeme2
19 Posts
0
May 4th, 2010 16:00
No redirects today, but only limited use. Still, so far so good. I noticed that "bitcomet" in the logs. Poked a non-apparent hole right through ZoneAlarm. Not so much a good thing.
Log follows:
Adobe AIR
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
BCWipe 2.0
Comcast Access
Compatibility Pack for the 2007 Office system
CutePDF Writer 2.7
Dell ResourceCD
DivX Web Player
Easy CD Creator 5 Basic
FLV Player 1.3.3
GoToMeeting 4.5.0.452
HiJackThis
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 2
Logitech MouseWare 9.77
Malwarebytes' Anti-Malware
Maxtor Encryption
Maxtor OneTouch III
McAfee AntiVirus Plus
Microsoft .NET Framework 1.1
Microsoft Office XP Standard for Students and Teachers
Microsoft Silverlight
MotionDV STUDIO 5.3E LE for DV
Move Media Player
MozyPro Remote Backup
NetDuster Demo Version 2.3.5.0
Photodex Presenter
PurgeIE - 8.01
Quicken 2004
RealPlayer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Sony Digital Voice Editor 2
SoundMAX
Spybot - Search & Destroy 1.4
Stomp Backup MyPC
Stomp Backup MyPC Update Manager
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows XP Service Pack 3
WinRAR archiver
WinZip
Wipe
ZoneAlarm
kevin27_b3d29f
1.5K Posts
0
May 4th, 2010 23:00
Hi,
Please open ZoneAlarm and click "Program Control", then click "Programs". You should then see a list of all the programs that are allowed access through ZoneAlarm. Please find "BitComet" and then click each green tick next to "BitComet" and change it to "Block"; the ticks should now become red crosses (X).
Once you have blocked BitComet's access through the firewall, please reboot your machine and post a fresh Combo-Fix log.
Thanks
K27
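The helper posts above read three things off the logs by hand: GMER's "suspicious modification" lines and its "Device -> \Driver\atapi" entry as the TDL3 indicators (kevin27's May 4th diagnosis), the Security Center overrides and "EnableFirewall"= 0 in ComboFix's Reg Loading Points, and the BitComet entries under GloballyOpenPorts. Those port entries sit under the Windows Firewall (SharedAccess) policy key, which is why they are a separate control from ZoneAlarm's Program Control list. The script below is an added example for this thread, not code from ComboFix, GMER or any poster: it parses those sections from a sample assembled out of the posted log lines and emits the XP-era "netsh firewall delete portopening" commands that close the ports. It works from scanner output rather than from the live file system because, while TDL3's hook on the disk device is active, reading the infected driver from inside the running OS returns what the rootkit chooses to show. The Security Center and monitoring flags are what third-party suites such as McAfee and ZoneAlarm set when they take over monitoring, so they are reported as review items, not verdicts.

```python
"""Triage a ComboFix / GMER log excerpt for rootkit and firewall-policy indicators.

Added example for this thread, not part of ComboFix, GMER or any post above.
SAMPLE_LOG is assembled from lines the poster supplied; nothing here touches
the registry or the filesystem, so it runs offline on any platform.
"""
import re
from dataclasses import dataclass, field

# GMER: a driver image on disk differs from what the scanner expected.
GMER_MOD_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification", re.I)
# GMER: a disk device object served by a hooked driver (TDL3 sits on \Driver\atapi).
GMER_DEVICE_RE = re.compile(
    r"^Device\s+->\s+\\Driver\\(?P<driver>\w+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-F]{8})", re.I)
# ComboFix "Reg Loading Points": a [key] header followed by "name"=value lines.
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


@dataclass
class Findings:
    modified_drivers: list = field(default_factory=list)   # paths GMER flagged
    device_hooks: list = field(default_factory=list)       # (driver, device, address)
    weakened_settings: list = field(default_factory=list)  # readable descriptions
    open_ports: list = field(default_factory=list)         # (port, proto, label)


def reg_int(value):
    """Normalise ComboFix's value renderings: 'dword:00000001' -> 1, '0 (0x0)' -> 0."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    head = value.split()[0] if value else ""
    return int(head) if head.isdigit() else None


def triage(log_text):
    """Walk the log once and collect the indicators a responder reads off by hand."""
    found = Findings()
    key_raw, key_lc = "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := GMER_MOD_RE.match(line)):
            found.modified_drivers.append(m["path"])
        elif (m := GMER_DEVICE_RE.match(line)):
            found.device_hooks.append((m["driver"], m["device"], m["addr"].upper()))
        elif (m := REG_KEY_RE.match(line)):
            key_raw = m["key"]
            key_lc = key_raw.lower()
        elif (m := REG_VALUE_RE.match(line)):
            name, value = m["name"], m["value"]
            leaf = key_raw.rsplit("\\", 1)[-1]          # last key component, e.g. ZoneLabsFirewall
            if key_lc.endswith("globallyopenports\\list"):
                # "23721:TCP"= 23721:TCP:BitComet 23721 TCP  -> label is what follows the 2nd colon
                port, _, proto = name.partition(":")
                label = value.split(":", 2)[-1].strip()
                found.open_ports.append((int(port), proto.upper(), label))
            elif "firewallpolicy" in key_lc and name.lower() == "enablefirewall" and reg_int(value) == 0:
                found.weakened_settings.append("Windows Firewall disabled in profile %s" % leaf)
            elif key_lc.endswith("security center") and name.lower() in (
                    "antivirusoverride", "firewalloverride") and reg_int(value) == 1:
                found.weakened_settings.append("Security Center alert suppressed: %s" % name)
            elif "security center\\monitoring\\" in key_lc and name.lower() == "disablemonitoring" \
                    and reg_int(value) == 1:
                # Third-party suites set this when they take over monitoring: review item, not verdict.
                found.weakened_settings.append("Security Center monitoring disabled for %s" % leaf)
    return found


def netsh_closures(found):
    """XP-era netsh commands that remove each globally open port the log shows."""
    return ["netsh firewall delete portopening protocol=%s port=%d" % (proto, port)
            for port, proto, _ in found.open_ports]


# Constructed sample: lines copied from the GMER and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
Device -> \Driver\atapi \Device\Harddisk0\DR0 FFB79EE4
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\System32\DRIVERS\i8042prt.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23721:TCP"= 23721:TCP:BitComet 23721 TCP
"23721:UDP"= 23721:UDP:BitComet 23721 UDP
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for path in found.modified_drivers:
        print("GMER  modified driver image:", path)
    for driver, device, addr in found.device_hooks:
        print("GMER  %s served by \\Driver\\%s at %s" % (device, driver, addr))
    for note in found.weakened_settings:
        print("REG   " + note)
    for cmd in netsh_closures(found):
        print("FIX   " + cmd)
```

Feed it a whole ComboFix or GMER log and it will ignore everything it has no rule for; the netsh lines it prints are for the XP "netsh firewall" context only, which is the platform in this thread.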
routeme2
19 Posts
0
May 5th, 2010 05:00
"BitComet" does not appear in ZoneAlarm's Program Control list. I ran Combo-Fix and the log follows. The machine still seems to be running without issues so far. Should be able to give it a better workout today.
As an aside, the TDL3 pdf made for a fascinating read. Thank you for the link.
******************************************
ComboFix 10-05-04.05 - Owner 05/05/2010 6:27.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.106 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.
2010-05-04 11:21 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2010-05-04 11:21 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-05-02 00:12 . 2010-05-02 00:12 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-02 00:12 . 2010-05-02 00:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-01 04:13 . 2010-05-01 04:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-30 08:46 . 2010-04-14 16:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-30 08:46 . 2010-04-14 16:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-30 08:46 . 2010-04-14 16:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-30 08:46 . 2010-04-14 16:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-30 08:46 . 2010-04-14 16:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-30 08:46 . 2010-04-14 16:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-30 08:46 . 2010-04-14 16:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 14:09 . 2010-04-27 14:09 -------- d-----w- c:\program files\Trend Micro
2010-04-27 13:30 . 2010-04-27 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 20:02 . 2009-07-28 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 02:03 . 2010-03-19 21:51 574 ----a-w- C:\cleanup.bat
2010-05-01 16:37 . 2008-11-23 13:40 -------- d-----w- c:\documents and settings\Owner\Application Data\WIPE
2010-04-30 18:22 . 2006-09-13 22:49 -------- d-----w- c:\program files\McAfee.com
2010-04-30 11:04 . 2006-09-13 22:49 -------- d-----w- c:\program files\McAfee
2010-04-30 08:46 . 2006-09-13 22:49 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-29 19:39 . 2009-07-28 19:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-07-28 19:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 13:56 . 2010-04-29 13:56 109056 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-28 03:03 . 2010-03-17 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\com.comcast.access
2010-04-27 17:27 . 2010-04-27 17:45 136192 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-27 14:09 . 2010-04-27 14:09 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-26 21:55 . 2010-04-26 21:55 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-26 14:59 . 2010-04-26 15:05 1616384 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-14 16:29 . 2006-09-13 22:50 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-14 16:29 . 2006-09-13 22:49 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-14 16:29 . 2006-09-13 22:49 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-26 09:11 . 2006-10-10 02:34 -------- d-----w- c:\program files\Photodex Presenter
2010-03-25 18:15 . 2010-03-25 18:14 -------- d-----w- c:\program files\SONY
2010-03-25 18:15 . 2006-09-13 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 15:31 . 2006-12-06 13:47 29745003 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-03-23 13:13 . 2008-10-28 19:45 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-03-19 13:46 . 2010-03-19 13:46 27671 ----a-w- C:\FileLister.vbe
2010-03-19 12:07 . 2010-03-19 12:55 923648 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-03-18 23:23 . 2006-09-13 18:23 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-03-18 23:23 . 2006-09-13 18:23 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-18 17:20 . 2010-03-18 17:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-18 14:33 . 2010-03-18 14:33 2754560 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-03-17 13:02 . 2010-03-17 13:02 -------- d-----w- c:\documents and settings\Owner\Application Data\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2010-03-17 13:01 . 2010-03-17 13:01 -------- d-----w- c:\program files\ComcastAccess
2010-03-17 13:00 . 2010-03-17 13:00 144162 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2010-03-17 13:00 . 2010-03-17 13:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2010-03-17 13:00 . 2009-12-18 03:27 5603776 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071706000001.dll
2010-03-14 20:15 . 2006-10-29 11:48 2572 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-03-06 00:55 . 2010-03-17 13:17 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-06 00:55 . 2010-03-06 00:58 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-06 00:52 . 2010-03-06 00:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-06 00:47 . 2010-03-06 00:47 55432 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\Acrobat\7.0\Updater\DLMUninst_001.exe
2010-03-05 02:03 . 2006-09-13 18:12 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-25 18:52 . 2010-02-25 18:52 72080 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-03-23_15.16.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-04 11:49 . 2010-05-04 11:49 16384 c:\windows\Temp\Perflib_Perfdata_1d4.dat
+ 2010-03-25 18:14 . 2001-08-31 20:14 57344 c:\windows\system32\StrmOut.dll
+ 2010-03-25 18:14 . 2005-07-04 12:56 86016 c:\windows\system32\spicc.dll
+ 2010-03-25 18:14 . 2002-03-01 20:25 69632 c:\windows\system32\spc.dll
+ 2010-03-25 18:14 . 2001-12-13 17:44 65536 c:\windows\system32\rcnv2.dll
+ 2010-03-25 18:14 . 2006-02-01 23:05 94208 c:\windows\system32\IcdYsys.dll
+ 2010-03-25 18:14 . 2003-06-26 15:49 61440 c:\windows\system32\ICDUSB2.dll
+ 2010-03-25 18:14 . 2000-11-14 20:00 49664 c:\windows\system32\ICDUSB.dll
+ 2010-03-25 18:14 . 2003-04-02 02:08 24576 c:\windows\system32\IcdSptSvps.dll
+ 2010-03-25 18:14 . 2003-04-02 02:08 69632 c:\windows\system32\IcdSptSv.exe
+ 2010-03-25 18:14 . 2006-02-03 19:19 57344 c:\windows\system32\IcdSpi.dll
+ 2010-03-25 18:14 . 2002-04-04 23:52 28672 c:\windows\system32\IcdShare.dll
+ 2010-03-25 18:14 . 2005-10-20 13:10 61440 c:\windows\system32\IcdSConv.dll
+ 2010-03-25 18:14 . 2005-07-04 15:11 77824 c:\windows\system32\IcdMSCom.dll
+ 2010-03-25 18:14 . 2001-04-26 01:44 28160 c:\windows\system32\icdcomm.dll
+ 2010-03-25 18:14 . 2006-01-17 21:25 86016 c:\windows\system32\IcdCdda.dll
+ 2010-03-25 18:14 . 2001-03-07 19:23 81920 c:\windows\system32\dsp_trc.dll
+ 2010-03-25 18:14 . 2001-11-05 23:05 61440 c:\windows\system32\DSConv.dll
+ 2010-03-25 18:14 . 2002-11-29 01:23 39048 c:\windows\system32\drivers\IcdUsb2.sys
+ 2010-03-25 18:14 . 2001-10-31 17:20 26409 c:\windows\system32\drivers\Icdusb.sys
+ 2010-03-25 18:15 . 2003-10-01 21:44 31744 c:\windows\system32\drivers\IcdSX.sys
+ 2006-09-13 18:15 . 2010-05-05 06:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-13 18:15 . 2010-03-23 14:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-13 18:15 . 2010-03-23 14:47 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-04 16:09 . 2010-05-05 06:01 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-03-25 18:15 . 2001-09-13 06:15 90112 c:\windows\snymsico.dll
+ 2009-12-22 01:09 . 2009-12-22 01:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 06:57 . 2009-12-22 06:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-22 01:02 . 2009-12-22 01:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-22 04:21 . 2009-12-22 04:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-22 04:37 . 2009-12-22 04:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 23:39 . 2009-12-21 23:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 23:27 . 2009-12-21 23:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 23:27 . 2009-12-21 23:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
+ 2009-01-05 19:44 . 2009-01-05 19:44 53248 c:\windows\bdoscandel.exe
+ 2010-03-24 13:58 . 2010-03-24 13:58 86016 c:\windows\BDOSCAN8\librtvr.dll
+ 2010-03-24 13:58 . 2010-03-24 13:58 27136 c:\windows\BDOSCAN8\avxt.dll
+ 2010-03-24 13:58 . 2010-03-24 13:58 10240 c:\windows\BDOSCAN8\avxs.dll
+ 2010-03-24 13:58 . 2010-03-24 13:58 45056 c:\windows\BDOSCAN8\avxdisk.dll
+ 2010-03-25 18:14 . 2002-06-24 18:50 122880 c:\windows\system32\trc.dll
+ 2010-03-25 18:14 . 2001-11-30 16:15 323584 c:\windows\system32\LPEC.dll
+ 2010-03-25 18:14 . 2001-01-10 11:47 317440 c:\windows\system32\IcdXa.dll
+ 2010-03-25 18:14 . 2002-08-26 18:22 209408 c:\windows\system32\IcdStor2.dll
+ 2010-03-25 18:14 . 2006-01-23 20:57 176128 c:\windows\system32\IcdShlex.dll
+ 2010-03-25 18:14 . 2003-02-05 14:36 208896 c:\windows\system32\ICDFConv.dll
+ 2010-03-25 18:14 . 2005-10-03 16:52 118784 c:\windows\system32\icdcomm3.dll
+ 2010-03-25 18:14 . 2004-08-28 17:08 122880 c:\windows\system32\icdcomm2.dll
+ 2009-12-21 23:35 . 2009-12-21 23:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-22 01:05 . 2009-12-22 01:05 116168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
+ 2009-12-21 23:34 . 2009-12-21 23:34 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-10 00:18 . 2009-11-10 00:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-22 01:02 . 2009-12-22 01:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-21 23:43 . 2009-12-21 23:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 06:57 . 2009-12-22 06:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 23:15 . 2009-12-21 23:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-22 00:32 . 2009-12-22 00:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-22 00:15 . 2009-12-22 00:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2009-01-05 19:44 . 2009-01-05 19:44 741376 c:\windows\Downloaded Program Files\ipsupd.dll
+ 2009-01-05 19:44 . 2010-03-24 13:58 142848 c:\windows\BDOSCAN8\libfn.dll
+ 2009-01-05 19:44 . 2009-01-05 19:44 741376 c:\windows\BDOSCAN8\ipsupd.dll
+ 2009-01-05 19:44 . 2010-03-24 14:04 107800 c:\windows\BDOSCAN8\bdcore.dll
+ 2010-04-27 13:53 . 2010-04-27 13:53 1094656 c:\windows\Installer\2e728ab.msi
+ 2009-12-21 23:29 . 2009-12-21 23:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-22 04:31 . 2009-12-22 04:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\49da9.msp
+ 2009-12-22 04:21 . 2009-12-22 04:21 20436408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro]
@="{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}"
[HKEY_CLASSES_ROOT\CLSID\{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro2]
@="{CBAFE103-79DA-46ca-BD9A-63CBF6282882}"
[HKEY_CLASSES_ROOT\CLSID\{CBAFE103-79DA-46ca-BD9A-63CBF6282882}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro3]
@="{8B99EA55-1AFF-4539-80A0-A71C6011CD84}"
[HKEY_CLASSES_ROOT\CLSID\{8B99EA55-1AFF-4539-80A0-A71C6011CD84}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-05-16 19968]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-03 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-03 185896]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyPro Status.lnk - c:\program files\MozyPro\mozyprostat.exe [2009-10-20 2885120]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23721:TCP"= 23721:TCP:BitComet 23721 TCP
"23721:UDP"= 23721:UDP:BitComet 23721 UDP
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/30/2010 4:46 AM 82952]
R1 mozyproFilter;mozyproFilter;c:\windows\system32\drivers\mozypro.sys [4/30/2007 8:18 AM 54776]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/30/2010 4:46 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/30/2010 4:47 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/30/2010 4:46 AM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/30/2010 4:46 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/30/2010 4:46 AM 88480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/30/2010 4:46 AM 55456]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [3/25/2010 2:14 PM 39048]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/30/2010 4:46 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/30/2010 4:46 AM 83496]
--- Other Services/Drivers In Memory ---
*Deregistered* - mfeavfk01
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 06:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-05-05 06:45:33
ComboFix-quarantined-files.txt 2010-05-05 10:45
ComboFix2.txt 2010-05-04 12:05
ComboFix3.txt 2010-03-23 16:49
ComboFix4.txt 2010-03-23 15:20
Pre-Run: 206,988,148,736 bytes free
Post-Run: 206,979,784,704 bytes free
- - End Of File - - 8259D79091BAC7EBC5A0B5015F62234B
kevin27_b3d29f
1.5K Posts
0
May 5th, 2010 14:00
routeme2,
PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS
Please:
Anti Spyware
Next we are going to run Combo-Fix in a slightly different way
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quote box below into it:
Folder::
c:\documents and settings\All Users\Application Data\avG
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23721:TCP"=-
"23721:UDP"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Thanks
K27.
kevin27_b3d29f
1.5K Posts
0
May 5th, 2010 16:00
routeme2,
You are more than welcome, it's my pleasure.
The logs look good, we will run one more precautionary scan just to be sure.
Please disable all active protection before running the on-line scan.
1. Run an online virus scan called Kaspersky from HERE.
2. At the next window Select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report.
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.
routeme2
19 Posts
0
May 5th, 2010 16:00
I very much appreciate your time, efforts and expertise. Thanks for doing what you do.
Combo-Fix ran fine. Log follows.
************************************
ComboFix 10-05-05.04 - Owner 05/05/2010 17:33:04.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.112 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\avG
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.
2010-05-04 11:21 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2010-05-04 11:21 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-05-02 00:12 . 2010-05-02 00:12 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-02 00:12 . 2010-05-02 00:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-01 04:13 . 2010-05-01 04:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-30 08:46 . 2010-04-14 16:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-30 08:46 . 2010-04-14 16:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-30 08:46 . 2010-04-14 16:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-30 08:46 . 2010-04-14 16:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-30 08:46 . 2010-04-14 16:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-30 08:46 . 2010-04-14 16:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-30 08:46 . 2010-04-14 16:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 14:09 . 2010-04-27 14:09 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 20:02 . 2009-07-28 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 02:03 . 2010-03-19 21:51 574 ----a-w- C:\cleanup.bat
2010-05-01 16:37 . 2008-11-23 13:40 -------- d-----w- c:\documents and settings\Owner\Application Data\WIPE
2010-04-30 18:22 . 2006-09-13 22:49 -------- d-----w- c:\program files\McAfee.com
2010-04-30 11:04 . 2006-09-13 22:49 -------- d-----w- c:\program files\McAfee
2010-04-30 08:46 . 2006-09-13 22:49 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-29 19:39 . 2009-07-28 19:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-07-28 19:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 13:56 . 2010-04-29 13:56 109056 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-28 03:03 . 2010-03-17 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\com.comcast.access
2010-04-27 17:27 . 2010-04-27 17:45 136192 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-27 14:09 . 2010-04-27 14:09 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-26 21:55 . 2010-04-26 21:55 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-26 14:59 . 2010-04-26 15:05 1616384 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-14 16:29 . 2006-09-13 22:50 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-14 16:29 . 2006-09-13 22:49 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-14 16:29 . 2006-09-13 22:49 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-26 09:11 . 2006-10-10 02:34 -------- d-----w- c:\program files\Photodex Presenter
2010-03-25 18:15 . 2010-03-25 18:14 -------- d-----w- c:\program files\SONY
2010-03-25 18:15 . 2006-09-13 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 15:31 . 2006-12-06 13:47 29745003 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-03-23 13:13 . 2008-10-28 19:45 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-03-19 13:46 . 2010-03-19 13:46 27671 ----a-w- C:\FileLister.vbe
2010-03-19 12:07 . 2010-03-19 12:55 923648 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-03-18 23:23 . 2006-09-13 18:23 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-03-18 23:23 . 2006-09-13 18:23 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-18 17:20 . 2010-03-18 17:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-18 14:33 . 2010-03-18 14:33 2754560 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-03-17 13:02 . 2010-03-17 13:02 -------- d-----w- c:\documents and settings\Owner\Application Data\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2010-03-17 13:01 . 2010-03-17 13:01 -------- d-----w- c:\program files\ComcastAccess
2010-03-17 13:00 . 2010-03-17 13:00 144162 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2010-03-17 13:00 . 2010-03-17 13:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2010-03-17 13:00 . 2009-12-18 03:27 5603776 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071706000001.dll
2010-03-14 20:15 . 2006-10-29 11:48 2572 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-03-06 00:55 . 2010-03-17 13:17 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-06 00:55 . 2010-03-06 00:58 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-06 00:52 . 2010-03-06 00:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-06 00:47 . 2010-03-06 00:47 55432 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\Acrobat\7.0\Updater\DLMUninst_001.exe
2010-03-05 02:03 . 2006-09-13 18:12 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-25 18:52 . 2010-02-25 18:52 72080 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
.
((((((((((((((((((((((((((((( SnapShot_2010-05-05_10.39.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-05 10:50 . 2010-05-05 10:50 16384 c:\windows\Temp\Perflib_Perfdata_718.dat
+ 2006-09-13 18:15 . 2010-05-05 18:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-13 18:15 . 2010-05-05 06:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-05 11:56 . 2010-05-05 18:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro]
@="{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}"
[HKEY_CLASSES_ROOT\CLSID\{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro2]
@="{CBAFE103-79DA-46ca-BD9A-63CBF6282882}"
[HKEY_CLASSES_ROOT\CLSID\{CBAFE103-79DA-46ca-BD9A-63CBF6282882}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro3]
@="{8B99EA55-1AFF-4539-80A0-A71C6011CD84}"
[HKEY_CLASSES_ROOT\CLSID\{8B99EA55-1AFF-4539-80A0-A71C6011CD84}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-05-16 19968]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-03 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-03 185896]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyPro Status.lnk - c:\program files\MozyPro\mozyprostat.exe [2009-10-20 2885120]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/30/2010 4:46 AM 82952]
R1 mozyproFilter;mozyproFilter;c:\windows\system32\drivers\mozypro.sys [4/30/2007 8:18 AM 54776]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/30/2010 4:46 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/30/2010 4:47 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/30/2010 4:46 AM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/30/2010 4:46 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/30/2010 4:46 AM 88480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/30/2010 4:46 AM 55456]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [3/25/2010 2:14 PM 39048]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/30/2010 4:46 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/30/2010 4:46 AM 83496]
--- Other Services/Drivers In Memory ---
*Deregistered* - mfeavfk01
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 17:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-05-05 17:51:58
ComboFix-quarantined-files.txt 2010-05-05 21:51
ComboFix2.txt 2010-05-05 10:45
ComboFix3.txt 2010-05-04 12:05
ComboFix4.txt 2010-03-23 16:49
ComboFix5.txt 2010-05-05 21:31
Pre-Run: 206,916,886,528 bytes free
Post-Run: 206,880,358,400 bytes free
- - End Of File - - 97B2A0A466CB35EC03BEFD261C540D48
routeme2
19 Posts
0
May 6th, 2010 04:00
The Kaspersky scan ran fine. It took a little while to load and run. Machine has not had any apparent issues and is running well. Four items in the scan report are two old e-mails archived in two different places. Scan report follows.
******************************************
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 6, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, May 06, 2010 00:22:28
Records in database: 4060925
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Objects scanned: 79531
Threats found: 2
Infected objects found: 2
Suspicious objects found: 10
Scan duration: 05:41:56
File name / Threat / Threats count
C:\MAIL ARCH 0811\findit.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\MAIL ARCH 0811\Personal 0609A.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\i8042prt.sys.vir_ Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{6881C59C-38AA-48EF-A269-3203EF944BD9}\RP1355\A0191047.sys Infected: Rootkit.Win32.TDSS.ap 1
E:\MAIL ARCH 0811\findit.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
E:\MAIL ARCH 0811\Personal 0609A.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 4
Selected area has been scanned.
kevin27_b3d29f
1.5K Posts
0
May 6th, 2010 09:00
routeme2,
We need to delete those e-mails; they are infected and as such can very easily infect you again. The other bits are located in Combo-Fix's quarantine and in System Restore and pose no threat as long as they are kept there and you don't do a system restore.
Next we are going to run Combo-Fix again to remove the infected E-mails
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quote box below into it:
File::
C:\MAIL ARCH 0811\findit.dbx
C:\MAIL ARCH 0811\Personal 0609A.dbx
E:\MAIL ARCH 0811\findit.dbx
E:\MAIL ARCH 0811\Personal 0609A.dbx
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Thanks
K27.
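The triage behind this reply, as an added example that is not code from the thread, from Kaspersky or from ComboFix: it parses the six report rows posted above, separates hits already sitting in the ComboFix quarantine or a System Restore point from live files, and renders the CFScript File:: block for the live ones. It assumes only the report row layout and the File:: directive shown in the thread.

```python
# Added example (not from the thread, Kaspersky or ComboFix): triage of the
# Kaspersky report posted above. Rule from the helper's reply: hits inside the
# ComboFix quarantine (Qoobox) or a System Restore point are contained; the rest are live.
import re
from collections import Counter
from dataclasses import dataclass

# The six "File name / Threat / Threats count" rows from the posted report.
REPORT = r"""
C:\MAIL ARCH 0811\findit.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\MAIL ARCH 0811\Personal 0609A.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\i8042prt.sys.vir_ Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{6881C59C-38AA-48EF-A269-3203EF944BD9}\RP1355\A0191047.sys Infected: Rootkit.Win32.TDSS.ap 1
E:\MAIL ARCH 0811\findit.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
E:\MAIL ARCH 0811\Personal 0609A.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 4
"""

# Paths contain spaces, so match the path lazily up to the verdict keyword.
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")

# Already-contained locations (lower-cased substring match on the path).
CONTAINED_MARKERS = ("\\qoobox\\quarantine\\", "\\system volume information\\_restore")

@dataclass(frozen=True)
class Hit:
    path: str
    verdict: str   # "Infected" = signature match, "Suspicious" = heuristic
    threat: str
    count: int

    @property
    def contained(self) -> bool:
        low = self.path.lower()
        return any(marker in low for marker in CONTAINED_MARKERS)

def parse_report(text: str) -> list[Hit]:
    """Parse result rows; any other line (headers, statistics) is ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return hits

def triage(hits: list[Hit]) -> tuple[list[Hit], list[Hit]]:
    """Split hits into (actionable, contained), keeping report order."""
    return [h for h in hits if not h.contained], [h for h in hits if h.contained]

def summarize(hits: list[Hit]) -> dict[str, int]:
    """Detections per threat name; cross-check against the report's statistics."""
    totals = Counter()
    for h in hits:
        totals[h.threat] += h.count
    return dict(totals)

def cfscript_file_block(hits: list[Hit]) -> str:
    """Render the CFScript 'File::' section used in the thread, one path per line."""
    paths = list(dict.fromkeys(h.path for h in hits))   # de-duplicate, keep order
    return "File::\n" + "\n".join(paths) + "\n"

if __name__ == "__main__":
    live, kept = triage(parse_report(REPORT))
    for h in kept:
        print(f"contained, leave in place: {h.path} ({h.threat})")
    print(cfscript_file_block(live))
```

Running it reproduces the four .dbx paths of the File:: block in the reply and leaves the quarantine and restore-point hits out, while summarize() returns the same 10 suspicious and 2 infected objects the report's statistics give.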
kevin27_b3d29f
1.5K Posts
0
May 11th, 2010 10:00
Hi routeme2,
Please let me know if you still require assistance.
Thanks
K27
routeme2
19 Posts
0
May 11th, 2010 18:00